Cisco ASA Certificate-based Remote Access VPN Authentication

In this article, I will demonstrate how to configure a Cisco ASA for digital certificate-based authentication for remote access VPN users.

Prerequisites

  • Admin access to the Cisco ASA
  • Root CA and (if applicable) any sub-CAs that sign certificates for the users who will connect remotely
  • Users/devices with signed certificates

Demonstration

  • ASAv 9.17(1)7
  • Active Directory Domain
  • AnyConnect client

We will first start by downloading the Root CA which has been used to sign certificates associated with our remote access users and their devices. Once downloaded, we will need to upload this to the ASA. In this demonstration, we will use ASDM to upload the certificate.

Log into your ASA and navigate to Configuration > Device Management > Certificate Management and select ‘CA Certificates’. Add your Root CA and any relevant subordinate CAs to the ASA. In this demonstration, we won’t perform any certificate revocation checks, but in a live environment I would strongly recommend that you do.

Press ‘Install Certificate’ to add your root CA.

By default, the certificate will be accepted for IPsec and SSL client connections. If you want to change this, you can edit the certificate and select the necessary options from the ‘Advanced’ tab. In this demonstration, we will leave the options that are selected as default.

Now we will focus on the ASA VPN configuration.

Note: Your configuration may differ from the lab environment demonstration.

Navigate to Remote Access VPN > Network (Client) Access > AnyConnect Client Software. You will need to upload the relevant AnyConnect client images to your ASA so that when users connect for the first time, they can download AnyConnect before connecting to the VPN. In this demonstration, I’ve just uploaded one AnyConnect package.

Now select ‘AnyConnect Connection Profile’ and in this demonstration, we will create a new connection profile, specifically for certificate-based authentication.

Once complete, navigate to AnyConnect Client Profile. This is where we will create a client profile for users connecting to the VPN using certificates.

In the first step, give the profile a name and specify the group policy that this profile should be applied to. This group policy is the one associated with the connection profile that was just configured for certificate-based authentication.

Once complete, press ‘OK’.

Now click ‘Edit’ to modify the parameters of the new profile that we’ve just created.

In this demonstration, we are using a Windows machine to connect to the VPN, so the demonstration will focus on settings related to Windows. If you have other operating systems connecting to the VPN, you will need to ensure that the relevant settings are configured for them too.

In ‘Part 1’, we will change the Certificate Store setting so that the client checks the machine certificate store. By default ‘All’ is selected, which is usually fine if you don’t need granular control over which certificate store is used.

We will also change the setting ‘Windows VPN Establishment’ to ‘AllowRemoteUsers’. This will allow remote users to connect.

Navigate to ‘Server List’ and add the hostname/IP address of your ASA’s interface that will be used to terminate VPN connections.

Once done, make sure you save your configuration changes.
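The same ASA-side configuration expressed as CLI rather than ASDM, as an added example that is not from the original article. The group policy and connection profile names (Certs, CertificateAuth) are taken from the session output later in this article; the trustpoint name, AnyConnect package path and issuer CN are placeholders. Unlike the demonstration, this version enables CRL revocation checking, and it adds a certificate map so that only certificates issued by the trusted CA land in the certificate-authentication connection profile.

```cisco
! --- Trusted CA (Root CA uploaded in ASDM) with revocation checking ---
! Trustpoint name is a placeholder; the CA certificate is pasted in
! PEM form when prompted by 'crypto ca authenticate'.
crypto ca trustpoint USER-ROOT-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
crypto ca authenticate USER-ROOT-CA

! --- AnyConnect package and SSL VPN on the outside interface ---
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-win-package>.pkg 1
 anyconnect enable

! --- Group policy matched by the certificate connection profile ---
group-policy Certs internal
group-policy Certs attributes
 vpn-tunnel-protocol ssl-client

! --- Connection profile that authenticates with certificates only ---
tunnel-group CertificateAuth type remote-access
tunnel-group CertificateAuth general-attributes
 default-group-policy Certs
tunnel-group CertificateAuth webvpn-attributes
 authentication certificate
 group-alias CertificateAuth enable

! --- Map certificates from the trusted CA to that connection profile ---
! Issuer CN is a placeholder; match it to your CA certificate's subject.
crypto ca certificate map CERT-AUTH-MAP 10
 issuer-name attr cn eq "Example Corp Root CA"
tunnel-group-map enable rules
tunnel-group-map CERT-AUTH-MAP 10 CertificateAuth
```

After applying this, 'show vpn-sessiondb detail anyconnect' should report Auth Mode : Certificate and Tunnel Group : CertificateAuth for a connecting client, as in the output below.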

Provided that you have all your certificate requirements in check, you should be able to test now. In the example below you can see that my demo machine has successfully connected and that the authentication method is Certificate. Note that some details, such as IP addresses, have been omitted.

ciscoasa# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : <Unknown>              Index        : 21
Assigned IP  : <Omitted>        Public IP    : <Omitted>
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 19783                  Bytes Rx     : 52201
Pkts Tx      : 12                     Pkts Rx      : 448
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : Certs                  Tunnel Group : CertificateAuth
Login Time   : 13:07:21 UTC Fri Aug 19 2022
Duration     : 0h:03m:20s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a877020001500062ff8b09
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 21.1
  Public IP    : <Omitted> 
  Encryption   : none                   Hashing      : none
  TCP Src Port : 56911                  TCP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Client OS    : win
  Client OS Ver: 10.0.19044
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 11574                  Bytes Rx     : 219
  Pkts Tx      : 6                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 21.2
  Assigned IP  : <Omitted>         Public IP    : <Omitted> 
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 56924
  TCP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.9.05042
  Bytes Tx     : 8209                   Bytes Rx     : 53380
  Pkts Tx      : 6                      Pkts Rx      : 463
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
